GHSA-r9jw-mwhq-wp62

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r9jw-mwhq-wp62/GHSA-r9jw-mwhq-wp62.json
Aliases
Published
2022-05-13T01:42:19Z
Modified
2022-09-22T04:13:00.945873Z
Details

In PyJWT 1.5.0 and below the invalid_strings check in HMACAlgorithm.prepare_key does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.

References

Affected packages

PyPI / pyjwt

pyjwt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
1.5.1

Affected versions

0.*

0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.2.3
0.3.0
0.3.1
0.3.2
0.4.0
0.4.1
0.4.2
0.4.3

1.*

1.0.0
1.0.1
1.1.0
1.3.0
1.4.0
1.4.1
1.4.2
1.5.0